I have a Microsoft Graph & MSA/AAD v2 daemon which is exclusively for Server Side API access. In the Azure Portal I have granted admin consent for my Microsoft account (MSA) for User.Read.All and Files.Read.All.
I can successfully get a token, and I have tried both /me/drive/root and /users/{user_guid}/drive/root with the same return result:
GraphError {
statusCode: 400,
code: 'BadRequest',
message: 'Tenant does not have a SPO license.',
requestId: 'guid',
date: 2020-06-08T09:53:12.000Z,
body: '{"code":"BadRequest","message":"Tenant does not have a SPO license.","innerError":{"request-id":"guid","date":"2020-06-08T02:53:12"}}'
}
Note: I'm aware SPO refers to SharePoint Online & OneDrive for Business, however this is for a Microsoft account user, and I am intending to access their OneDrive Consumer (i.e. http://onedrive.live.com).
Is the Graph incapable of accessing OneDrive for Consumers? Or is it only possible with Delegated permissions? I did not see any reference in both the Graph and OneDrive dev docs.
After talking with the Microsoft Identity team, it is not currently a supported scenario to access a Microsoft account user's personal OneDrive (or other Microsoft Graph) content using the client_credentials grant type.
You can obtain admin consent for an MSA user, however those scenarios are limited to the MSA user operating as a guest user in your AAD tenant, or requires them to otherwise have an M365 license and associated SharePoint Online instance.
If you are looking to access an MSA user's content from a service, persisting the refresh token in the service and obtaining consent for offline_access currently appears to be the recommended method.